Product Review: SolarWinds Log and Event Manager

by Brien M. Posey
[Published on 18 April 2012 / Last Updated on 18 April 2012]

When I was first asked to review SolarWinds Log & Event Manager, I assumed by the name of the product that it was a Windows Event Log Parser. In actuality however, the software uses agents deployed on the computers in your organization to monitor security issues in real time.

The Installation Process

For the purposes of this review, I downloaded the evaluation version of SolarWinds Log & Event Manager version 5.3.1. The download consisted of a 754 MB self-extracting executable file. When I ran the file, the contents decompressed and automatically opened the Quick Start Guide to the section that explains how to complete the installation process.

I thought that having the executable automatically open the relevant documentation was a very nice touch. Since the computer on which I was performing the review contains three monitors, I was able to display the documentation on one screen and the vSphere Client on another.

As you might have already figured out from the previous sentence, SolarWinds Log & Event Manager installs as a VMware appliance. I decided to install the product on an ESXi 4 server. According to the product’s documentation, you will also need vSphere 4 or later, a 2 GHz or faster CPU, 8 GB of RAM, and 250 GB of hard disk space. While there is nothing all that remarkable about these requirements, I have to admit that the requirement for 250 GB of disk space caught me by surprise. I had initially created a 100 GB data store, assuming that 100 GB would be adequate. Later, after I had completed my review, I learned that the preferred method for short-term evaluation deployments is to thinly provision the disk in an effort to minimize physical disk consumption.

Rather than using my own knowledge to set up the virtual appliance, I decided to follow the instructions from the Quick Start Guide since the guide was already on screen. The Quick Start Guide seems to have been written for an earlier version of Windows than what I was using (perhaps XP). The instructions in the guide did not match up to what was on my system. For example, the Quick Start Guide indicated that the virtual appliance file was located at C:\Documents and Settings\Administrator\Desktop\SolarWinds Log & Event Manager. On my system, the path used was C:\Users\Administrator\Desktop\SolarWinds Log & Event Manager. It’s a minor discrepancy, but it shows that there is a need for the documentation to be updated.

Likewise, the documentation provides instructions for importing an OVA file into the vSphere Client. While I have no doubts that the documentation is accurate for version 4 of the vSphere Client, I was using version 5, which is designed to import OVF files by default. I was still able to import the OVA file, but there was an extra step or two. It would be nice to see SolarWinds update the documentation to reflect the vSphere Client 5.

Getting Started

The next step in the process was to power up the virtual appliance and then to open the console. This shouldn’t be a big deal for anyone who is familiar with VMware, but I would like to see the Quick Start Guide list the specific steps for doing so – for the benefit of anyone who might be new to VMware. The PDF version of the Quick Start Guide does offer a bit more detail than the auto-run pop-up guide, but I still think that some extra detail might be helpful.

It is also worth noting that you will need a DHCP server so that the virtual appliance can acquire an IP address. Most organizations should already have a DHCP server in place, but I wanted to mention it since the DHCP server is a requirement. It is worth noting that after booting the virtual appliance for the first time, you can assign a static IP address if needed.

Once the DHCP server assigns an IP address to the virtual appliance, the next step in the process is to install the desktop component. The desktop component is a user interface that gets installed on a desktop computer and that acts as a front end to the virtual appliance. I found installing the desktop component to be a completely intuitive process.

After the desktop component is installed, you simply provide it with the virtual appliance’s IP address and a password to log in with, and you are ready to go. You can see what the user interface looks like at this point in Figure A.

Figure A: This is what the user interface looks like when you log in for the first time.

As you can see in the figure above, the interface is divided into a series of tabs. The Ops Center tab – which is selected by default – provides access to simulated data, which can be used to help you get a feel for the software. The Ops Center tab also contains links to the product’s documentation, which I view as a major plus. For the purpose of this review, I am using simulated log data rather than actual data provided by the agents, because I am working in an isolated lab environment and the agents would detect little, if any, security-related activity.

Monitoring Alerts

The Monitor tab is the heart and soul of SolarWinds Log & Event Manager. This tab allows you to see all of the security alerts that are occurring. If you look at Figure B, you can see that the upper pane displays all of the various alerts. Because these alerts typically stream in more quickly than they can be observed, there is a Pause button that you can use to pause the view.

Figure B: The Monitor tab is where the action happens.

Of course in the real world it would be unlikely that someone would sit and stare at the Monitor screen all day watching security alerts. As such, the product offers several features that make the alerts more digestible.

For starters, you have the ability to filter alerts based on your own criteria. If you look back at Figure B, you will notice that there are a number of default filters that you can click on to view specific types of alerts, but you also have the ability to create your own filters. Custom filters are created by using a series of pre-defined conditions and notifications. For instance, if you look at Figure C, you will see a filter that displays a popup message and plays a sound when a Network Attack Alert occurs.

Figure C: You can create your own filters.

Taking Action

By far my favorite thing about SolarWinds Log & Event Manager is that it is more than just an event log parser. The tool actually lets you take action when a security threat occurs. As you can see in Figure D, the software allows you to respond to an alert by clicking on the alert, clicking the Respond button, and then choosing the action that you want to perform. For example, you can block the IP address, detach a USB device, disable networking, enable a domain user account, kill a process, log a user off, or send a pop-up message.

Figure D: You can take action against a security threat.

Incidentally, taking action against a security threat does not have to be a manual process. The Build tab lets you build custom rules that detect specific conditions and then take action. For example, in Figure E I have created a rule that checks to see if a virus scanner insertion IP matches an IP address that I have specified. If a match occurs, then the machine is shut down. If you look at the Actions section of the figure, you can see that there are far more actions available to rules than are available if you manually respond to an event.

Figure E: You can create your own rules.
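To make the two mechanisms described above concrete (the filters of Figure C, which pair a condition with a notification, and the Build-tab rules of Figure E, which pair a condition with an automated action), here is a small model of them in Python. This is an added illustration, not SolarWinds code; the alert records, IP addresses, host names and action names are all constructed, and it adds one thing the review's lab set-up implies: automated actions stay in a dry-run state until the engine is explicitly armed, so a rule can be checked against simulated data before it shuts down a real machine.

```python
# Added illustration, not SolarWinds code: a small model of filters
# (condition -> notification, Figure C) and rules (condition -> automated
# action, Figure E). Alerts, IPs, hosts and action names are constructed.
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

@dataclass
class Alert:
    kind: str        # alert type as listed in the Monitor tab
    source_ip: str   # IP address the alert was raised against
    host: str        # machine the agent reported from

@dataclass
class Rule:
    name: str
    condition: Callable[[Alert], bool]
    actions: List[str]           # e.g. "popup", "sound", "shutdown"
    automated: bool = False      # True for Build-tab rules that act without an operator

def kind_is(kind: str) -> Callable[[Alert], bool]:
    return lambda a: a.kind == kind

def ip_in(watch: Set[str]) -> Callable[[Alert], bool]:
    return lambda a: a.source_ip in watch

def evaluate(alerts: List[Alert], rules: List[Rule],
             armed: bool = False) -> List[Tuple[str, str, str]]:
    """Return (rule name, action, host) for every match.
    Automated actions are returned as 'would-<action>' unless the engine is
    armed, so a rule can be exercised on simulated data first."""
    fired = []
    for alert in alerts:
        for rule in rules:
            if not rule.condition(alert):
                continue
            for action in rule.actions:
                if rule.automated and not armed:
                    action = "would-" + action
                fired.append((rule.name, action, alert.host))
    return fired

# Constructed sample alerts using documentation address ranges.
ALERTS = [
    Alert("Network Attack Alert", "203.0.113.7", "ws-12"),
    Alert("Virus Scanner Alert", "192.0.2.55", "srv-03"),
    Alert("Logon Failure", "198.51.100.9", "ws-04"),
]
RULES = [
    Rule("notify on network attack", kind_is("Network Attack Alert"), ["popup", "sound"]),
    Rule("shut down infected host", ip_in({"192.0.2.55"}), ["shutdown"], automated=True),
]
```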

Reporting

As you would expect from a tool like this, there are a number of tools available for assessing the overall state of the organization. For example, the Explore tab contains a number of different dashboard views, such as the one shown in Figure F. Likewise, the software is capable of generating a large number of reports. Reports can be created manually or report creation can be scheduled. Depending on the volume of alert data that you are working with, reports can take a while to create, so it’s a good idea to schedule the reports if you can.

Figure F: This is one of the dashboard views that are available through the Explore tab.

Conclusion

All in all, it seems like a solid product. For the most part it is relatively intuitive to use, although it will take some time to explore all of the options that this product provides. My only beef with the product is that I wish SolarWinds would update and make some minor improvements to their Quick Start Guide. That aside, I think that SolarWinds has done a really good job in creating this software. Pricing for SolarWinds Log & Event Manager starts at $4495 US dollars.

In closing, I give SolarWinds Log & Event Manager a rating of 4.5, earning the product a WindowsNetworking.com Gold Award.